Trouble executing a Graph API function with my App / Granted permissions not recognized by Graph API

Mykhailo Saienko 5 Reputation points
2025-01-27T07:38:00.29+00:00

Dear Community,

I am trying to set up an AD B2C-based signup-or-signin flow using e-mail/password or the Google identity provider. To make the process reproducible, I would like to develop a script (ideally az cli-based or by using az rest calls to whatever APIs necessary) which does this for me.

I didn't find a means to set up the B2C tenant programmatically, so I created one manually. Let's say its id is stored in $b2cTenantId.

I have created the app registration (all variables are properly set) and generated a secret.

    $app = az ad app create `
        --display-name $appRegistrationName `
        --sign-in-audience "AzureADMultipleOrgs" `
        --web-redirect-uris $webRedirectUris `
        --public-client-redirect-uris $mobileRedirectUris `
        --query '{appId: appId, objectId: id}' | ConvertFrom-Json
    $appId = $app.appId
    $appObjectId = $app.objectId

    $clientSecret = az ad app credential reset `
        --id $appId `
        --append `
        --display-name "AuthSecret" `
        --years 1 `
        --query 'password' -o tsv

After that I granted the necessary Graph rights to my App (and verified that they were added and that admin consent was granted):

    # To add the provider to the user flow
    $permissionId = az ad sp show `
        --id 00000003-0000-0000-c000-000000000000 `
        --query "appRoles[?value=='IdentityUserFlow.ReadWrite.All'].id" `
        --output tsv
    
    az ad app permission add --id $appObjectId `
        --api 00000003-0000-0000-c000-000000000000 `
        --api-permissions $permissionId=Role

    # To actually create and configure providers
    $permissionId = az ad sp show `
        --id 00000003-0000-0000-c000-000000000000 `
        --query "appRoles[?value=='IdentityProvider.ReadWrite.All'].id" `
        --output tsv

    az ad app permission add --id $appObjectId `
        --api 00000003-0000-0000-c000-000000000000 `
        --api-permissions $permissionId=Role

    # To make the permission effective, we need to give admin consent
    az ad app permission admin-consent --id $appObjectId

Then I logged in as the App

    az login --service-principal --username $appId --password $clientSecret --tenant $b2cTenantId --allow-no-subscriptions

Then, I added the signup-or-signin userflow

    az rest --method post `
        --uri "https://graph.microsoft.com/beta/identity/b2cUserFlows" `
        --headers '{\"Content-Type\": \"application/json\"}' `
        --body ('{\"id\": \"' + $policyName + '\", \"userFlowType\":\"signUpOrSignIn\", \"userFlowTypeVersion\": 3}')

It worked: the IdentityUserFlow.ReadWrite.All permission I had granted before was correctly used here!

But now, when I try to add the Google Identity Provider

    az rest --method post `
        --uri "https://graph.microsoft.com/beta/identity/identityProviders" `
        --headers '{\"Content-Type\": \"application/json\"}' `
        --body ('{\"@odata.type\": \"microsoft.graph.socialIdentityProvider\", \"clientId\": \"' `
            + $env:GOOGLE_CLIENT_ID + '\", \"clientSecret\":\"' + $env:GOOGLE_CLIENT_SECRET + '\",' + `
            '\"identityProviderType\": \"Google\", \"displayName\" : \"Google Auth Provider\", \"id\": \"' + $GoogleAuthId + '\"}')

it fails with an error:

ERROR: Forbidden({"error":{"code":"AADB2C","message":"The application does not have any of the required application permissions (IdentityProvider.ReadWrite.All) to access the resource. ","innerError":{"correlationId":"6c44586d-xxxx-xxxx-xxxx-79e09fcdbdc5","date":"2025-01-26T18:54:17","request-id":"d0a67892-xxxx-xxxx-xxxx-f355e27be175","client-request-id":"d0a67892-xxxx-xxxx-xxxx-f355e27be175"}}})

But I have explicitly checked that the permission for the app exists, and creating the user flow with this method worked alright! What am I missing here?

Microsoft Graph

1 answer

  1. Mykhailo Saienko 5 Reputation points
    2025-01-27T10:22:32.0766667+00:00

    To answer my own question: I have also granted the IdentityProvider.Read.All permission and the script went through.

    1 person found this answer helpful.
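A check that makes this kind of mismatch visible before any Graph call is made, as an added example that is not part of the question or the answer: it decodes the `roles` claim of the token the service principal actually receives and compares it with the app role assignments recorded on the service principal in the B2C tenant. It assumes you are already logged in with `az login --service-principal ...` as the app and that `$appId` holds the app registration's appId, as in the question.

```powershell
# Added example (not from the original post). Assumes an active `az login
# --service-principal` session as the app and $appId set as in the question.

function Get-JwtPayload {
    # Decode the (unverified) payload segment of a JWT into an object.
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
        ConvertFrom-Json
}

# 1. The roles claim is what Graph evaluates for application permissions.
$token      = az account get-access-token --resource-type ms-graph --query accessToken -o tsv
$tokenRoles = @((Get-JwtPayload -Token $token).roles)

# 2. The app role assignments on the service principal in the B2C tenant,
#    resolved from Graph's appRole ids back to their permission names.
$spId        = az ad sp show --id $appId --query id -o tsv
$assignments = az rest --method get `
    --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/appRoleAssignments" |
    ConvertFrom-Json
$graphSp = az ad sp show --id 00000003-0000-0000-c000-000000000000 | ConvertFrom-Json
$assignedRoles = foreach ($a in $assignments.value) {
    ($graphSp.appRoles | Where-Object id -eq $a.appRoleId).value
}

# 3. Compare both views against what the script needs. A role that is
#    assigned but not in the token means the session predates the consent.
$required = 'IdentityUserFlow.ReadWrite.All',
            'IdentityProvider.ReadWrite.All',
            'IdentityProvider.Read.All'
foreach ($r in $required) {
    "{0,-32} assigned={1,-5} inToken={2}" -f $r,
        ($assignedRoles -contains $r), ($tokenRoles -contains $r)
}
```

The `roles` claim reflects consent at the time the token was issued, so after adding a permission and granting consent, run `az login` again before re-checking.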
